It is time to move critical systems to a secure, restricted Internet that is safe from attackers, warns an FBI official
With malicious perpetrators increasingly devising sophisticated, complex attacks against critical systems controlling critical infrastructure, such as power plants and financial institutions, the time has come to consider a new secure alternative Internet, according to a top government official.
The threats facing critical systems are not going away, and the systems can never be secure enough to thwart the attacks completely, said Shawn Henry, the executive assistant director of the Federal Bureau of Investigation, told attendees at an International Systems Security Association conference in Baltimore on 20 October. Cyber-threats will always evolve and outpace efforts to defend networks, he said.
One way to protect critical utility and financial systems would be to set up a secure Internet that was separate from the regular public Internet, Henry said. The alternative Internet would not allow anonymity, and only known and trusted individuals would have access to the systems, he said.
Attackers, whether they are cyber-criminals, terrorist groups or cyber-spies, are devising “novel ways” to steal information and compromise critical infrastructure, Henry said. Cyber-attacks are an “existential threat” that can put a company out of business, shut down infrastructure and even kill people, he said.
He acknowledged that he might sound “alarmist”, but said it was important to realise these kinds of attacks are occurring every day and are one of the “most serious threats” facing the nation.
Terrorist groups have in the past focused on “kinetic” attacks but are now looking at moving into cyber-space, according to Henry. Cyber-attacks are cheaper, easier, faster and “much much more lucrative” than the old kinetic attacks, he said.
While some people would claim these groups don’t have the capability to launch cyber-attacks, which Henry found “arguable”, it is actually possible to rent or buy attack software and infrastructure, or individuals with the skills to launch attacks.
“Just because something hasn’t been done before doesn’t mean they won’t do it,” Henry said.
The FBI has made cyber-attacks a top priority, and the agency is working with international partners and with domestic law enforcement to investigate and track down cyber-criminals. Information sharing was critical for defense, as the government shares information about threats with the private sector and academic institutions to help figure out defenses.
“I can’t tell you how many times we’ve walked into a company and told them they’ve been breached, and they had no idea,” and often had been compromised for months, Henry said. However, everything the FBI was doing was reactive, he said, as something bad has already happened.
The Internet is “arguably the greatest invention”, but it has become an “incredibly dangerous place”, he said.
“We have to imagine things that haven’t been imagined before” to stay ahead of attackers, Henry said. Drawing on the physical world for his analogies, Henry said the Internet needs better community-watch programmes, and more gated communities to protect systems and data. There needs to be less homeowner’s insurance, which focuses on mitigating damage after the threat.
An alternate Internet would be built with the intention of securing critical systems from Day One. A “guard post” was necessary to define rules on who can enter the secured environment and access the systems. Access rules must be strict, and the people allowed in must aggressively report bad guys and suspicious behavior, Henry said.
In addition to an alternate network, the FBI advocates taking highly sensitive data offline altogether, Henry said, echoing a sentiment made by Richard Clarke, former counter-terrorism czar, last week at the Mandiant Incident Response conference in Washington, D.C. If vulnerable infrastructure was disconnected from the Internet, the systems would be much more secure because of the number of threats that would be removed, Clarke said.